Public Key Encryption with GnuPG

One of the most overlooked risks of using the internet is that, most of the time, your data is about as private as the writing on the back of a postcard. Anyone whose systems your traffic passes through can, if they choose to, read everything you have sent.

A lot of the time this isn't a problem, and the way internet traffic is routed makes it hard for a malicious sniffer to be sure of seeing your traffic. That same routing, though, means you can never be sure your data has avoided a sniffer somewhere along the way.

There is some protection while your data stays inside a corporate network (internal email, for example), but this is not always the case: in a large organisation there is a good chance that email is routed over the internet between mail servers. Email sent outside your company is almost always carried over the internet and is at risk.

So, when you next send a confidential proposal to a client, or you have some orders that need arranging, remember that there is (technically) very little to prevent the information falling into the hands of your competitors.

If this is something you want to prevent, you need to consider some form of public key encryption. One of the best, and easiest, ways to get it is to deploy GnuPG to all your staff, have each of them generate a key pair, and share your public keys with your business partners (importing and verifying theirs in return).

This is a very straightforward process: all your employees need is access to the command line, where they can run:

gpg --gen-key

Following the on-screen prompts quickly creates a key pair and stores it in a "keyring" (which holds your own private keys and the public keys you trust). With GnuPG 2.1 and later, gpg --gen-key accepts the defaults and asks only for a name, email address and passphrase; gpg --full-generate-key offers the full set of choices, including the expiry date. From that point on, encrypted messages can be exchanged with anyone whose public key you have imported, and who has imported yours. Before encrypting to a key, confirm its fingerprint with the owner over a separate channel (by phone or in person): anyone can publish a key carrying your partner's name and email address.

For normal use you can happily accept the defaults presented during key generation, but we would always recommend the following two steps:

  • Set the key to expire within a reasonable length of time (1 to 2 years) so that you can properly manage your employees' key certificates. A key that is still in use can have its expiry extended with gpg --edit-key, while a key whose passphrase or owner has gone missing simply stops being usable.
  • Always create a revocation certificate as part of the process and store it in a safe place, offline and separate from the key itself. GnuPG 2.1 and later write one automatically into the openpgp-revocs.d directory under the GnuPG home directory; older versions need gpg --gen-revoke. Anyone holding this file can revoke your key, so protect it accordingly.

If you want more advice on encryption, or to discuss any special needs you or your company may have around protecting data, then get in touch with our specialist security consultants.

Halkyn Security

Halkyn Security Consultants.